[p-e-w]

It's not about whether this particular announcement, with these particular executables, is trustworthy or not.

It's about the whole process of regularly downloading and running executables uploaded by individuals to a BBS-type forum being unimaginable in most other parts of the software world, and violating every security "best practice" written about in the past 30 years.

I know that this is how things were once done everywhere. But that was a long time ago.

[Dalewyn]

Are we even in the same universe?

The vast majority of the world still downloads and runs executables uploaded by individuals, albeit perhaps not on a bulletin board or forum (most of those have been killed and replaced by social media).

[wokwokwok]

This argument comes up reasonably regularly.

No, the majority of the world does not download and run binaries from non-reputable sources.

The distinction between reputable and non-reputable varies, but broadly easily spoofable user uploaded content falls into the non-reputable.

Most people download software from trust worthy websites like the official chrome website.

Indeed, the fact that people are continually scammed by this sort of attack is why Apple now refuses to run unsigned binaries by default.

To pretend nothing is wrong here is like pretending JavaScript supply chain attacks don’t exist because you don’t want them to exist.

…and yet. They do exist; wanting it not to be true does not make it so.

Likewise, downloading and running arbitrary binaries from a forum is naive.

You simply want nothing bad to happen.

That does not mean nothing bad will actually happen.

Even if you trust the authors of the posts, how reputable is the forum itself? Are the binary hashes posted? (No, they aren’t).

> I'm new in this forum

^ does not inspire confidence.

[HakanAbbas]

Yes, I'm new in hydrogenaud.io. However, I have been active since 2018 in "encode.su".

This year, "3rd Global Data Compression(gdcc.tech)" organized by Huawei and Barcelona Autonoma University was held. In this competition, I have the world 3rd place in the "Professional Task 6 - Ultra Fast" category(JABBAR). And I spent only 2 weeks of the 5-month competition process for this degree.

We can only share and test such a specific work in specific environments.

[userbinator]

You are simply toeing the line of corporate propaganda, that says people must always submit to centralised authority instead of exercising their own judgement.

That is what is leading us to dystopia.

We are not "pretending", we are simply stating that the magnitude of risk is absolutely tiny.

Insecurity is freedom. Don't let them take away the latter in the name of security.

"There is nothing to fear but fear itself."

[bigfishrunning]

How is sharing source "submitting to a centralized authority"

I don't run any binaries if i can help it

[wokwokwok]

you think the risk is tiny, but:

A) the risk exists.

B) you’ve taken no steps to verify that it’s tiny

C) you’re trusting new users just as much as well established users

D) your community is not as obscure and tiny as you imagine when it floats to the top of HN.

It’s not corporate dictatorship to say “there are bad actors out there looking to take advantage of naive users”; it’s reality.

You can refuse to acknowledge that reality, that’s your choice.

However, it’s probably irresponsible to encourage other people to do so.

[x86a]

take the L